aikido-zen 1.0.2.beta.9-x86_64-linux-musl → 1.0.2-x86_64-linux-musl

data/lib/aikido/zen/middleware/rack_throttler.rb

@@ -33,8 +33,10 @@ module Aikido::Zen
       private
 
       def should_throttle?(request)
+        # Bypass rate limiting for allowed IPs
+        return false if @settings.allowed_ips.include?(request.ip)
+
         return false unless @settings.endpoints[request.route].rate_limiting.enabled?
-        return false if @settings.skip_protection_for_ips.include?(request.ip)
 
         result = @detached_agent.calculate_rate_limits(request)
 

data/lib/aikido/zen/middleware/request_tracker.rb

@@ -5,8 +5,9 @@ module Aikido::Zen
     # Rack middleware used to track request
     # It implements the logic under that which is considered worthy of being tracked.
     class RequestTracker
-      def initialize(app)
+      def initialize(app, settings: Aikido::Zen.runtime_settings)
         @app = app
+        @settings = settings
       end
 
       def call(env)
@@ -16,7 +17,8 @@ module Aikido::Zen
         if request.route && track?(
           status_code: response[0],
           route: request.route.path,
-          http_method: request.request_method
+          http_method: request.request_method,
+          ip: request.ip
         )
           Aikido::Zen.track_request(request)
 
@@ -126,7 +128,10 @@ module Aikido::Zen
       # @param status_code [Integer]
       # @param route [String]
       # @param http_method [String]
-      def track?(status_code:, route:, http_method:)
+      def track?(status_code:, route:, http_method:, ip: nil)
+        # Bypass request and route tracking for allowed IPs
+        return false if @settings.allowed_ips.include?(ip)
+
         # In the UI we want to show only successful (2xx) or redirect (3xx) responses
         # anything else is discarded.
         return false unless status_code >= 200 && status_code <= 399

data/lib/aikido/zen/outbound_connection.rb

@@ -25,13 +25,23 @@ module Aikido::Zen
     # @return [Integer] the port number to which the connection was attempted.
     attr_reader :port
 
+    # @return [Integer] the number of times that this connection was seen by
+    #   the hosts collector.
+    attr_reader :hits
+
     def initialize(host:, port:)
       @host = host
       @port = port
     end
 
+    def hit
+      # Lazy initialize @hits, so it stays nil until the connection is tracked.
+      @hits ||= 0
+      @hits += 1
+    end
+
     def as_json
-      {hostname: host, port: port}
+      {hostname: host, port: port, hits: hits}.compact
     end
 
     def ==(other)

data/lib/aikido/zen/rails_engine.rb

@@ -12,8 +12,9 @@ module Aikido::Zen
     initializer "aikido.add_middleware" do |app|
       app.middleware.insert_before 0, Aikido::Zen::Middleware::ForkDetector
 
-      app.middleware.use Aikido::Zen::Middleware::SetContext
-      app.middleware.use Aikido::Zen::Middleware::CheckAllowedAddresses
+      app.middleware.use Aikido::Zen::Middleware::ContextSetter
+      app.middleware.use Aikido::Zen::Middleware::AllowedAddressChecker
+      app.middleware.use Aikido::Zen::Middleware::AttackWaveProtector
       # Request Tracker stats do not consider failed request or 40x, so the middleware
       # must be the last one wrapping the request.
       app.middleware.use Aikido::Zen::Middleware::RequestTracker

data/lib/aikido/zen/request/rails_router.rb

@@ -62,16 +62,31 @@ module Aikido::Zen
       nil
     end
 
-    private def build_route(route, request, prefix: request.script_name)
+    private
+
+    def build_route(route, request, prefix: request.script_name)
       route_wrapper = ActionDispatch::Routing::RouteWrapper.new(route)
 
       path = if prefix.present?
-        File.join(prefix.to_s, route_wrapper.path).chomp("/")
+        prefix_route_path(prefix.to_s, route_wrapper.path)
       else
         route_wrapper.path
       end
 
       Aikido::Zen::Route.new(verb: request.request_method, path: path)
     end
+
+    def prefix_route_path(string1, string2)
+      # The strings appear to start with "/", allowing them to be concatenated
+      # directly after removing trailing "/". However, as it is not currently
+      # known whether this is guaranteed, we insert a separator when necessary.
+
+      separator = string2.start_with?("/") ? "" : "/"
+
+      string1 = string1.chomp("/")
+      string2 = string2.chomp("/")
+
+      "#{string1}#{separator}#{string2}"
+    end
   end
 end

data/lib/aikido/zen/request.rb

@@ -22,13 +22,11 @@ module Aikido::Zen
       @config = config
       @framework = framework
       @router = router
-      @body_read = false
     end
 
     def __setobj__(delegate) # :nodoc:
       super
-      @body_read = false
-      @route = @normalized_header = @truncated_body = nil
+      @route = @normalized_header = nil
     end
 
     # @return [Aikido::Zen::Route] the framework route being requested.
@@ -41,8 +39,6 @@ module Aikido::Zen
       @schema ||= Aikido::Zen::Request::Schema.build
     end
 
-    # @api private
-    #
     # @return [String] the IP address of the client making the request.
     def client_ip
       return @client_ip if @client_ip
@@ -74,42 +70,12 @@ module Aikido::Zen
         }
     end
 
-    # @api private
-    #
-    # Reads the first 16KiB of the request body, to include in attack reports
-    # back to the Aikido server. This method should only be called if an attack
-    # is detected during the current request.
-    #
-    # If the underlying IO object has been partially (or fully) read before,
-    # this will attempt to restore the previous cursor position after reading it
-    # if possible, or leave if rewund if not.
-    #
-    # @param max_size [Integer] number of bytes to read at most.
-    #
-    # @return [String]
-    def truncated_body(max_size: 16384)
-      return @truncated_body if @body_read
-      return nil if body.nil?
-
-      begin
-        initial_pos = body.pos if body.respond_to?(:pos)
-        body.rewind
-        @truncated_body = body.read(max_size)
-      ensure
-        @body_read = true
-        body.rewind
-        body.seek(initial_pos) if initial_pos && body.respond_to?(:seek)
-      end
-    end
-
     def as_json
       {
-        method: request_method.downcase,
+        method: request_method.upcase,
         url: url,
         ipAddress: client_ip,
         userAgent: user_agent,
-        headers: normalized_headers.reject { |_, val| val.to_s.empty? },
-        body: truncated_body,
         source: framework,
         route: route&.path
       }

data/lib/aikido/zen/route.rb

@@ -39,8 +39,58 @@ module Aikido::Zen
       [verb, path].hash
     end
 
+    # Sort routes by wildcard matching order deterministically:
+    #
+    #   1. Exact path before wildcard path
+    #   2. Fewer wildcards in path relative to path length
+    #   3. Earliest wildcard position in path
+    #   4. Exact verb before wildcard verb
+    #   5. Lexicographic path (tie-break)
+    #   6. Lexicographic verb (tie-break)
+    #
+    # @return [Array] the sort key
+    def sort_key
+      @sort_key ||= begin
+        stars = []
+        i = -1
+        while (i = path.index("*", i + 1))
+          stars << i
+        end
+
+        [
+          stars.empty? ? 0 : 1,
+          stars.length - path.length,
+          stars,
+          (verb == "*") ? 1 : 0,
+          path,
+          verb
+        ].freeze
+      end
+    end
+
+    def match?(other)
+      other.is_a?(Route) &&
+        pattern(verb).match?(other.verb) &&
+        pattern(path).match?(other.path)
+    end
+
     def inspect
       "#<#{self.class.name} #{verb} #{path.inspect}>"
     end
+
+    # Construct a regular expression equivalent to the wildcard string,
+    # where '*' is the wildcard operator.
+    #
+    # The resulting pattern matches the entire input, allows an optional
+    # trailing slash, and is case-insensitive.
+    #
+    # All other special characters in the regular expression are escaped
+    # so that they are treated literally.
+    #
+    # @param string [String] wildcard string
+    # @return [Regexp] regular expression matching the wildcard string
+    private def pattern(string)
+      /^#{Regexp.escape(string).gsub("\\*", ".*")}\/?$/i
+    end
   end
 end

data/lib/aikido/zen/runtime_settings/endpoints.rb

@@ -16,24 +16,53 @@ module Aikido::Zen
     # @param data [Array<Hash>]
     # @return [Aikido::Zen::RuntimeSettings::Endpoints]
     def self.from_json(data)
-      data = Array(data).map { |item|
-        route = Route.new(verb: item["method"], path: item["route"])
-        settings = RuntimeSettings::ProtectionSettings.from_json(item)
+      endpoint_pairs = Array(data).map do |value|
+        route = Route.new(verb: value["method"], path: value["route"])
+        settings = RuntimeSettings::ProtectionSettings.from_json(value)
         [route, settings]
-      }.to_h
+      end
 
-      new(data)
+      # Sort endpoints by wildcard matching order
+      endpoint_pairs.sort_by! do |route, settings|
+        route.sort_key
+      end
+
+      new(endpoint_pairs.to_h)
     end
 
-    def initialize(data = {})
-      @endpoints = data
+    # @param endpoints [Hash] the endpoints in wildcard matching order
+    # @return [Aikido::Zen::RuntimeSettings::Endpoints]
+    def initialize(endpoints = {})
+      @endpoints = endpoints
       @endpoints.default = RuntimeSettings::ProtectionSettings.none
     end
 
     # @param route [Aikido::Zen::Route]
     # @return [Aikido::Zen::RuntimeSettings::ProtectionSettings]
     def [](route)
-      @endpoints[route]
+      return @endpoints[route] if @endpoints.key?(route)
+
+      # Wildcard endpoint matching
+
+      @endpoints.each do |pattern, settings|
+        return settings if pattern.match?(route)
+      end
+
+      @endpoints.default
+    end
+
+    # @param route [Aikido::Zen::Route]
+    # @return [Array<Aikido::Zen::RuntimeSettings::ProtectionSettings>]
+    def match(route)
+      matches = []
+
+      @endpoints.each do |pattern, settings|
+        matches << settings if pattern.match?(route)
+      end
+
+      matches << @endpoints.default if matches.empty?
+
+      matches
     end
 
     # @!visibility private

data/lib/aikido/zen/runtime_settings.rb

@@ -11,11 +11,11 @@ module Aikido::Zen
   #
   # You can subscribe to changes with +#add_observer(object, func_name)+, which
   # will call the function passing the settings as an argument.
-  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :skip_protection_for_ips, :received_any_stats) do
+  RuntimeSettings = Struct.new(:updated_at, :heartbeat_interval, :endpoints, :blocked_user_ids, :allowed_ips, :received_any_stats, :blocking_mode) do
     def initialize(*)
       super
       self.endpoints ||= RuntimeSettings::Endpoints.new
-      self.skip_protection_for_ips ||= RuntimeSettings::IPSet.new
+      self.allowed_ips ||= RuntimeSettings::IPSet.new
     end
 
     # @!attribute [rw] updated_at
@@ -35,7 +35,7 @@ module Aikido::Zen
     # @!attribute [rw] blocked_user_ids
     #   @return [Array]
 
-    # @!attribute [rw] skip_protection_for_ips
+    # @!attribute [rw] allowed_ips
     #   @return [Aikido::Zen::RuntimeSettings::IPSet]
 
     # Parse and interpret the JSON response from the core API with updated
@@ -53,8 +53,9 @@ module Aikido::Zen
       self.heartbeat_interval = data["heartbeatIntervalInMS"].to_i / 1000
       self.endpoints = RuntimeSettings::Endpoints.from_json(data["endpoints"])
       self.blocked_user_ids = data["blockedUserIds"]
-      self.skip_protection_for_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
+      self.allowed_ips = RuntimeSettings::IPSet.from_json(data["allowedIPAddresses"])
       self.received_any_stats = data["receivedAnyStats"]
+      self.blocking_mode = data["block"]
 
       updated_at != last_updated_at
     end

data/lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -21,14 +21,15 @@ module Aikido::Zen
       # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
       def self.call(filepath:, sink:, context:, operation:)
         context.payloads.each do |payload|
-          next unless new(filepath, payload.value).attack?
+          next unless new(filepath, payload.value.to_s).attack?
 
           return Attacks::PathTraversalAttack.new(
             sink: sink,
             input: payload,
             filepath: filepath,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
         end
 

data/lib/aikido/zen/scanners/shell_injection_scanner.rb

@@ -16,14 +16,15 @@ module Aikido::Zen
       #
       def self.call(command:, sink:, context:, operation:)
         context.payloads.each do |payload|
-          next unless new(command, payload.value).attack?
+          next unless new(command, payload.value.to_s).attack?
 
           return Attacks::ShellInjectionAttack.new(
             sink: sink,
             input: payload,
             command: command,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
         end
 

data/lib/aikido/zen/scanners/sql_injection_scanner.rb

@@ -32,7 +32,7 @@ module Aikido::Zen
         end
 
         context.payloads.each do |payload|
-          next unless new(query, payload.value, dialect).attack?
+          next unless new(query, payload.value.to_s, dialect).attack?
 
           return Attacks::SQLInjectionAttack.new(
             sink: sink,
@@ -40,7 +40,8 @@ module Aikido::Zen
             input: payload,
             dialect: dialect,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
         end
 

data/lib/aikido/zen/scanners/ssrf_scanner.rb

@@ -51,7 +51,8 @@ module Aikido::Zen
             request: request,
             input: payload,
             context: context,
-            operation: "#{sink.operation}.#{operation}"
+            operation: "#{sink.operation}.#{operation}",
+            stack: Aikido::Zen.clean_stack_trace
           )
 
           return attack

data/lib/aikido/zen/scanners/stored_ssrf_scanner.rb

@@ -20,7 +20,8 @@ module Aikido::Zen
           address: offending_address,
           sink: sink,
           context: context,
-          operation: "#{sink.operation}.#{operation}"
+          operation: "#{sink.operation}.#{operation}",
+          stack: Aikido::Zen.clean_stack_trace
         )
       end
 
@@ -44,6 +45,9 @@ module Aikido::Zen
 
       DANGEROUS_ADDRESSES = [
         IPAddr.new("169.254.169.254"),
+        IPAddr.new("100.100.100.200"),
+        IPAddr.new("::ffff:169.254.169.254"),
+        IPAddr.new("::ffff:100.100.100.200"),
         IPAddr.new("fd00:ec2::254")
       ]
     end

data/lib/aikido/zen/sinks/action_controller.rb

@@ -43,8 +43,10 @@ module Aikido::Zen
         end
 
         private def should_throttle?(request)
+          # Bypass rate limiting for allowed IPs
+          return false if @settings.allowed_ips.include?(request.ip)
+
           return false unless @settings.endpoints[request.route].rate_limiting.enabled?
-          return false if @settings.skip_protection_for_ips.include?(request.ip)
 
           result = @detached_agent.calculate_rate_limits(request)
           return false unless result

data/lib/aikido/zen/sinks/file.rb

@@ -82,38 +82,40 @@ module Aikido::Zen
           end
 
           def join(*args, **kwargs, &blk)
-            # IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
-            #
-            # File.join has undocumented behavior:
-            #
-            # File.join recursively joins nested string arrays.
-            #
-            # This prevents path traversal detection when an array originates
-            # from user input that was assumed to be a string.
-            #
-            # This undocumented behavior has been restricted to support path
-            # traversal detection.
-            #
-            # File.join no longer joins nested string arrays, but still accepts
-            # a single string array argument.
-
-            # File.join is often incorrectly called with a single array argument.
-            #
-            # i.e.
-            #
-            # File.join(["prefix", "filename"])
-            #
-            # This is considered acceptable.
-            #
-            # Calling File.join with a single string argument returns the string
-            # argument itself, having no practical effect. Therefore, it can be
-            # presumed that if File.join is called with a single array argument
-            # then this was its intended usage, and the array did not originate
-            # from user input that was assumed to be a string.
-            strings = args
-            strings = args.first if args.size == 1 && args.first.is_a?(Array)
-            strings.each do |string|
-              raise TypeError.new("Zen prevented implicit conversion of Array to String") if string.is_a?(Array)
+            if Aikido::Zen.config.harden?
+              # IMPORTANT: THE BEHAVIOR OF THIS METHOD IS CHANGED!
+              #
+              # File.join has undocumented behavior:
+              #
+              # File.join recursively joins nested string arrays.
+              #
+              # This prevents path traversal detection when an array originates
+              # from user input that was assumed to be a string.
+              #
+              # This undocumented behavior has been restricted to support path
+              # traversal detection.
+              #
+              # File.join no longer joins nested string arrays, but still accepts
+              # a single string array argument.
+
+              # File.join is often incorrectly called with a single array argument.
+              #
+              # i.e.
+              #
+              # File.join(["prefix", "filename"])
+              #
+              # This is considered acceptable.
+              #
+              # Calling File.join with a single string argument returns the string
+              # argument itself, having no practical effect. Therefore, it can be
+              # presumed that if File.join is called with a single array argument
+              # then this was its intended usage, and the array did not originate
+              # from user input that was assumed to be a string.
+              strings = args
+              strings = args.first if args.size == 1 && args.first.is_a?(Array)
+              strings.each do |string|
+                raise TypeError.new("Zen prevented implicit conversion of Array to String in hardened method. Visit https://github.com/AikidoSec/firewall-ruby for more information.") if string.is_a?(Array)
+              end
             end
 
             result = join__internal_for_aikido_zen(*args, **kwargs, &blk)

data/lib/aikido/zen/sinks/socket.rb

@@ -68,6 +68,13 @@ module Aikido::Zen
             # :nocov:
             Helpers.scan(remote_host, socket, "open")
             # :nocov:
+          rescue Aikido::Zen::UnderAttackError, Aikido::Zen::Sinks::DSL::PresafeError
+            # If the scan raises an exception that will escape the safe block,
+            # the open socket must be closed because it will not be returned,
+            # so the user cannot close it.
+            socket.close
+
+            raise
           end
         end
       end

data/lib/aikido/zen/system_info.rb

@@ -8,12 +8,8 @@ require_relative "package"
 module Aikido::Zen
   # Provides information about the currently running Agent.
   class SystemInfo
-    def initialize(config = Aikido::Zen.config)
-      @config = config
-    end
-
     def attacks_block_requests?
-      !!@config.blocking_mode
+      !!Aikido::Zen.blocking_mode?
     end
 
     def attacks_are_only_reported?

data/lib/aikido/zen/version.rb

@@ -2,7 +2,7 @@
 
 module Aikido
   module Zen
-    VERSION = "1.0.2.beta.9"
+    VERSION = "1.0.2"
 
     # The version of libzen_internals that we build against.
     LIBZEN_VERSION = "0.1.48"